It took a while, but late last week someone wondered “how many Strava users are members of the military or national security groups, and are uploading their activity?” The answer is “plenty - and they've revealed where they work, where they live, when they were sent to a new outpost and where to ambush them when they least expect it.”

Ever since Nathan Ruser, an international security student at the Australian National University, observed that Strava's data included the exercise routes of military and natsec personnel, locating military installations in Strava's has become a social media sensation.

Strava released their global heatmap. 13 trillion GPS points from their users (turning off data sharing is an option).

— Ketan Joshi (@KetanJ0) January 28, 2018
Observers have also noted that Strava hasn't revealed much more than was already visible on Google Earth. For example, here's Pine Gap again, this time from Google:

Google's got a much clearer image of Pine Gap

Strava's explanation of how it made the Heatmap says it excluded data that users asked to be kept private. The service allows users to create multiple "privacy zones" with a radius of up to 1km. When users enter such zones, their digital tracks disappear in order to make it harder to figure out where they live or work.

Data revealing the location of sensitive facilities, or the habits of military personnel, would therefore have been excluded if users had employed Strava's privacy settings.

However, as Ruser later tweeted, the location of bases isn't the only concern: the ability to establish “pattern of life” information also makes the Heatmap a serious source of risk – mainly because people weren't keeping their information private.

If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away pic.twitter.com/Rf5mpAKme2

— Nathan Ruser (@Nrg8000) January 27, 2018
The Daily Beast's Adam Rawnsley noticed the app can even reveal troop movements, if new Strava users pop up in an area around a military base:

Pretty faint but data from the Strava exercise app shows like China has deployed joggers to its disputed Woody Island in the South China Sea, in addition to fighter jets and HQ-9 SAMs pic.twitter.com/HG6zkb8tcw

It just keeps getting deeper. You can also trivially scrape segments, to get a list of people who travelled a route, and trivially obtain a list of users. #Strava pic.twitter.com/U9DnPsyHUD

— Paul D (@Paulmd199) January 28, 2018
We are just now all seeing how much you can learn from this data now that it is publicly accessible, but all of that *already was possible* if one had access to the data. https://t.co/rB2fto3w6H

— Dino A. Dai Zovi (@dinodaizovi) January 29, 2018
Beyond the military frenzy, however, El Reg agrees with observations that the heat map is sufficiently detailed to pose a risk to individuals. Infosec bod Brian Haugli noticed that the heatmap reaches all the way to your door:

You can see individuals that are using Strava by zooming it to houses that have a short line. Strava gives the ability to set up privacy zones, but it's not on by default. pic.twitter.com/azqZFXiVQZ

— Brian (@BrianHaugli) January 28, 2018
Even if individuals had set up the area around their homes as privacy zones, which Haugli noted is not the default, the dataset still contains a level of personally identifying information that shouldn't have been published by Strava, according to European privacy researcher Lukasz Olejnik.

Olejnik said at the least, someone should have conducted a privacy impact statement before pressing “publish” on the dataset.

He told The Register in an email: “This highlights the challenges of location data anonymisation, and how mass datasets reveal unexpected patterns. Organisations should carefully consider consequences on multiple levels prior to publishing private data.

“That said, making a privacy impact assessment of this kind of a project would be quite an adventure.”

Olejnik also tweeted that Europe's General Data Protection Regulation (GDPR) considers location to be sensitive information, meaning publication should be handled with care."


New strife for Strava: Location privacy feature can be made transparent
Circles within circles make it easy to find the midpoint
By Richard Chirgwin 8 Feb 2018 at 04:03
https://www.theregister.co.uk/2018/02/08/strava_privacy_still_leakable/
"Hidden in plain sight: Wandera thinks it can use entries and exits from privacy zones to deduce Strava users' start points.

Wandera's analysis comes after Strava released a "heat map" that was found to offer clues to the location of military bases. Such data was only captured because Strava's privacy feature is off by default. When it's on, the feature creates a virtual bubble in which users' activities aren't tracked.

But as Wandera's Liarna La Porta wrote, the privacy zone might not be enough: “If an activity on Strava is circular in nature and the return route is from the opposite direction, it is relatively easy to deduce the mid-point and where the privacy zone is centred on.

If there are not two exact opposite points, it’s possible to use a third point from a different activity and solve the equation of a circle passing through 3 points.”

As the company's Dan Cuddeford added: “Assuming Strava’s user base is made up of serious cyclists who invest heavily in the best equipment, the app can be used by criminals as an accurate map of where to find expensive bikes they might want to steal.”

Wandera said it notified Strava about the issue. Strava reportedly responded by saying the feature is working as intended. However, La Porta added, it would probably be better if the Privacy Zone was randomised rather than set to a specific radius.

Another simple fix is to centre Strava's privacy zone on something other than your home, office or wherever you start to run or ride. By placing it a couple of hundred meters away, you'll make home-hacking harder. (One Reg operative hit on this idea a while ago, not to preserve privacy but to make sure his efforts on a tasty hill would be included in Strava's records.)
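The circle geometry Wandera describes, checked against the two mitigations mentioned in the article (an offset centre and a randomised zone), as an added example that is not from the article, Wandera or Strava. All coordinates are constructed planar metres, and randomisation is modelled here as a different radius per activity, which is an assumption.

```python
import math

def circumcenter(p1, p2, p3):
    """Centre of the circle through three points (planar metres)."""
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    d = 2 * (x1 * (y2 - y3) + x2 * (y3 - y1) + x3 * (y1 - y2))
    if abs(d) < 1e-9:
        raise ValueError("points are collinear; no unique circle")
    s1, s2, s3 = x1 * x1 + y1 * y1, x2 * x2 + y2 * y2, x3 * x3 + y3 * y3
    ux = (s1 * (y2 - y3) + s2 * (y3 - y1) + s3 * (y1 - y2)) / d
    uy = (s1 * (x3 - x2) + s2 * (x1 - x3) + s3 * (x2 - x1)) / d
    return ux, uy

def cut_points(zone_centre, radii, bearings_deg):
    """Where each published track stops: one point per activity on the zone edge."""
    cx, cy = zone_centre
    return [(cx + r * math.cos(math.radians(b)), cy + r * math.sin(math.radians(b)))
            for r, b in zip(radii, bearings_deg)]

def exposure_m(home, zone_centre, radii, bearings_deg=(10, 130, 250)):
    """Metres between the real start point and the point three cut points reveal."""
    estimate = circumcenter(*cut_points(zone_centre, radii, bearings_deg))
    return math.dist(estimate, home)

# Constructed scenarios: home at the origin, three activities per scenario.
HOME = (0.0, 0.0)
SCENARIOS = {
    "fixed radius, centred on home": (HOME, (500, 500, 500)),
    "fixed radius, centre offset 200 m": ((200.0, 0.0), (500, 500, 500)),
    "radius varies per activity (assumed)": (HOME, (400, 650, 900)),
}

if __name__ == "__main__":
    for name, (centre, radii) in SCENARIOS.items():
        print(f"{name}: revealed point is {exposure_m(HOME, centre, radii):.0f} m from home")
```

A result near zero means the zone gives no protection for the start point; the offset case reveals the zone centre rather than the home, which is why the article suggests moving it.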

Dude I was formatting my laptop the other day at like 2 AM in the morning. So Windows was installing while I went to the kitchen to have a meal. All of a sudden Cortana starts speaking and I froze for a second, thinking crap is my house haunted? are there thieves here? I was seriously scared and didn't know what to do. Until I realized that it's that annoying digital crap Cortana speaking so I quickly ran to my room and muted my computer before she wakes everyone up! Microsoft should seriously STOP! We don't want that crap!


On RS4, it's more intelligent and I asked her to Keep Quiet but she was going on and on... Finally found the mute button and also clicked the Set Cortana Later option too.
Yes, Cortana confused my parents too. I was setting up my PC a few months ago and suddenly a woman's voice came up! Mom asked me who I was talking to. I said it was the PC and she was like duh!??